Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bartman10
Contributor

FortiGate Suggestion: Allow Logging to USB

In the past 2-3 years many of my Fortigate devices have lost features due to the removal of internal storage. WAN Acceleration, web cache, logging.. From 90D, 60D, 94D and so on. Many new units also don't come with internal storage 50E. Fortinet, please consider allowing at least logging to a user provided USB device. We could use a USB flash drive or external HD. I understand maybe all 500GB on that HD may not be accessable for logging on say a 30D but something reasonable the device could support would be great!

-It costs Fortinet nothing, and could save Fortinet money.

-Assists in troubleshooting problems with TAC.

-Reduces RMA on devices as only user replaceable USB flash is being used, not affecting internal storage with read/write cycles. -Build loyalty with users like myself by restoring features the unit was sold with.

Users please speak with your sales rep and maybe comment in this post if you'd like to see this feature added.

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track. Over 100 WiFi AP's and growing. FAZ-200D FAC-VM 2 node cluster Friends don't let friends FWF!
2 Solutions
Baptiste

I consider small box are normaly used for only few users and not all UTM stuffs on and hundred VPN.

On my small box (40C) I don't have big CPU usage (high memory usage : yes), I don't think performance will be impact.

And it could be our choice to loose some perf for logging.

2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E

View solution in original post

2 FGT 100D + FTK200 3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
rcarreras
New Contributor III

You can log to forticloud with internet speed and you can not log to local usb because is going to slow down the firewall? 

View solution in original post

15 REPLIES 15
josh
New Contributor

I agree, this is a good idea.

 

I also disagree with the fact it would slow it down. Firewall performance is not dependant on the logging-rate.. If you're excessively logging they'd simply be dropped.. It's not like you're waiting for your logs to commit before processing the next packet through UTM, lol..

bartman10

This is simply speculation and rumor. A made up fantasy that USB logging would slow it down.. There is no merit to it so there is no reason to debate it as fact.

 

The fact is it's not enabled and that's a choice. FYI.. did you know USB logging used to be available in version 4? It's also a fact logging used to be enabled on many low level devices but was removed because of the cheep flash FortiNet chose to used in these devices. Not because of performance.. Because of cost cutting on Fortinets part. 

 

That my friends is the root of this gripe. They have taken away vital features because they choose to use cheep flash in their products. They should have given us an alternative that is equal to the feature they removed. The "free" cloud logging is NOT even close. 

 

But what ever.. many of you don't get the point and want to have deep arguments about USB kernel mode linux drives and crap, how FAZ should be cheaper or what ever.. your missing the point. Simple, local logging is valuable for many users who don't want to run a freaking FAZ.. god never mind.. 

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to loose track. Over 100 WiFi AP's and growing. FAZ-200D FAC-VM 2 node cluster Friends don't let friends FWF!
emnoc
Esteemed Contributor III

Firewall performance is not dependant on the logging-rate.. If you're excessively logging they'd simply be dropped.

 

That's not 100% true. if you benchmark various firewalls you will see that a lot of models are impacted by packets that are source from the control plane. This is not limited to  FGT either btw.

 

Unless you have a dedicate process for management of   log data, you could indeed impact that thru-put and latency of a firewall. By monitoring the cpu and log-rate b/ps  you can start trending & proper monitoring.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
FredMB
New Contributor

+ for this feature.

 

I just bought a 100D for our main office and 60D for a remote office, and I'm really disappointed to see that on the 60D I don't even have real-time logs because there is no disk. 

 

I understand that all policy logging can't be logged in memory and we had to subscribe to FortiCLoud for thant, but the 60D should at least store and display real time logs from memory.

 

And I also agree with rcarreras : I don't understand how logging to Forticloud through internet API can be faster that logging to usb.

billtbyhand

I think a lot of it boils down to providing the ability to locally store logs on external media might impact Fortinet's ability to SELL you FortiAnalyzers and the like.  

There may be technical reasons, but there are definitely business decision reasons too.

Bill Hand Network Administrator D.L. Lee & Sons Inc. 927 Highway 32 E, Alma, GA 31510 (912) 632-4406 Ext. 1131 Bill.hand@dllee.com

Bill Hand Network Administrator D.L. Lee & Sons Inc. 927 Highway 32 E, Alma, GA 31510 (912) 632-4406 Ext. 1131 Bill.hand@dllee.com
Steffi
New Contributor III

pcraponi wrote:
Fortigate has no CPU dedicated to Log/disk usage. So, the I/O speed of a remote USB/disk will affect all Firewall performance... It's the architecture, not business policy.   Others vendors, like Palo Alto (), can do it because they have a "Management Plane" outside of "Dataplane" on hardware architecture.   Fortinet try to solve this putting SSD high performance disks in new "D" devices. But only for 100D and higher. On small devices this impact on hardware price (here we can talking about business policy)
Yes, I also think so. The 30E for example can do a Firewall with 950Mbps, but writing an USB stick once a day is by far too much. I can understand that clearly. It is like with my new Xeon Server: it can well serve theoretically 100 and 1000 of clients, but backing up a config file every day or copying some small files over the network wont work with it, no dedicated CPU. If it is because Fortigate wants to earn money with it, why not? That is not a bad thing, but implemeting an usb port without being to use it, just for some plain stupid backups of config files is a shabby thing.
Top Kudoed Authors